National Public Data confirms massive data breach included Social Security numbers

National Public Data, which aggregates data to provide background checks, has confirmed it suffered a massive data breach involving Social Security numbers and other personal data on millions of Americans.

The Coral Springs, Florida company posted on its website a notice that “there appears to a have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

News about the breach first came from a class action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, and first reported on by Bloomberg Law. Stolen from National Public Data (NPD) were 2.9 billion records including names, addresses, Social Security numbers and relatives dating back at least three decades, according to law firm Schubert, Jonckheer & Kolbe, which filed the suit.

NPD said the breached data included names, email addresses, phone numbers and mailing addresses, as well as Social Security numbers. The company said it is cooperating with investigators and has “implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”

How to check to see if your Social Security number, data were in breach

Cybersecurity firm Pentester said it got the data and created a tool you can use to see if your information is in the breach – it shows names, addresses, address histories, and social security numbers. You will find it at npd.pentester.com.

Since financial institutions use Social Security numbers on applications for loans and credit cards and on investments, having that information that information available to threat actors poses a serious risk, Pentester.com cofounder Richard Glaser said in an advisory on the company website.

He also suggested freezing credit reports. “Names, addresses and phone numbers might change but your social security number doesn’t,” Glaser said.

Data breach: How to protect your credit

NPD also advised consumers to “closely monitor your financial accounts and if you see any unauthorized activity, you should promptly contact your financial institution.” Consumers might want to get a credit report and get a fraud alert on their credit file, the company said.

Consumers should do more than that and freeze their credit report, Odysseas Papadimitriou, the CEO of personal finance site WalletHub, told USA TODAY. “Placing a fraud alert is not as effective as freezing your report,” he said.

“A fraud alert is more of a heads up to lenders, which they can easily ignore. It doesn’t do much in practice,” Papadimitriou said. “A freeze, on the other hand, stops fraud in its tracks by preventing identity thieves from opening accounts in your name.”

He and other security experts suggest consumers take that step because the personal data is likely in the hands of hackers.

The class action suit alleges it was cybercriminal group USDoD that accessed NPD’s network and stole unencrypted personal information. Then, the group posted a database it said had information on 2.9 billion people on the dark web on about April 8, 2024 seeking to sell it for $3.5 million.